Dataplex IAM roles

Dataplex defines several Identity and Access Management (IAM) roles. Each predefined role bundles a set of IAM permissions that allow principals to perform particular actions. You grant a principal one or more IAM roles through an IAM policy.

IAM also lets you create custom roles. You create a custom role, assign it one or more permissions, and then grant the new role to your principals. Use custom roles alongside the predefined roles to build an access control model that maps directly to your needs, for example a role that carries exactly the permissions one workload requires and nothing more.
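As an added example (not code from the Dataplex documentation), the following Python builds such a custom role definition and then adds a policy binding the way a getIamPolicy, modify, setIamPolicy round trip does, keeping the etag so a concurrent policy change is not silently overwritten. The role ID dataplexScanReader, the project my-project, the principals, and the chosen permission set are hypothetical; the sample policy is constructed for the example.

```python
"""Added example, not from the Dataplex docs: write a least-privilege custom
role definition and add a binding to an IAM policy the way a
getIamPolicy -> modify -> setIamPolicy round trip does, preserving the etag.
Role ID, project ID, permissions and principals below are hypothetical."""
import copy
import json

# Hypothetical custom role: read-only on lakes/zones plus the data-scan result
# view (dataplex.datascans.getData), which roles/dataplex.viewer does not carry.
SCAN_READER_PERMISSIONS = [
    "dataplex.lakes.get", "dataplex.lakes.list",
    "dataplex.zones.get", "dataplex.zones.list",
    "dataplex.datascans.get", "dataplex.datascans.list",
    "dataplex.datascans.getData",
]


def custom_role_definition(title, description, permissions, stage="GA"):
    """Build the role definition that `gcloud iam roles create ROLE_ID
    --project=PROJECT_ID --file=role.json` consumes (YAML or JSON)."""
    if not permissions:
        raise ValueError("a custom role must list at least one permission")
    # Custom roles must enumerate permissions; wildcard forms such as
    # dataplex.*.get are documentation shorthand, not valid role content.
    wildcards = [p for p in permissions if "*" in p]
    if wildcards:
        raise ValueError(f"wildcards not allowed in custom roles: {wildcards}")
    return {
        "title": title,
        "description": description,
        "stage": stage,
        "includedPermissions": sorted(set(permissions)),
    }


def add_binding(policy, role, member):
    """Return a copy of `policy` with `member` added to `role`.

    The etag from the read is carried over untouched: setIamPolicy compares it
    to the stored policy and rejects the write if someone changed the policy in
    between, so a concurrent grant is not silently overwritten.
    """
    if not policy.get("etag"):
        raise ValueError("policy lacks an etag; read it with getIamPolicy first")
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        # Only merge into an unconditional binding; conditional ones are distinct grants.
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


# Constructed sample: what getIamPolicy on a project might return.
CURRENT_POLICY = {
    "version": 1,
    "etag": "BwXyZ-example",
    "bindings": [
        {"role": "roles/dataplex.viewer", "members": ["user:alice@example.com"]},
    ],
}

if __name__ == "__main__":
    role = custom_role_definition(
        "Dataplex Scan Reader",
        "Read lakes, zones and data scans, including data-scan results",
        SCAN_READER_PERMISSIONS,
    )
    print(json.dumps(role, indent=2))          # content for --file=role.json
    new_policy = add_binding(
        CURRENT_POLICY,
        "projects/my-project/roles/dataplexScanReader",   # custom role resource name
        "serviceAccount:quality-bot@my-project.iam.gserviceaccount.com",
    )
    print(json.dumps(new_policy, indent=2))    # body for setIamPolicy
```

The binding merge deliberately skips bindings that carry a condition: a conditional grant is a separate access decision, and appending a member to it would silently inherit that condition.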

This document focuses on the IAM roles relevant to Dataplex.

Before you begin

  • Read the IAM documentation.

Dataplex roles

Dataplex IAM roles are bundles of one or more permissions. You grant roles to principals to allow them to perform actions on the Dataplex resources in your project. For example, the Dataplex Viewer role contains the dataplex.*.get and dataplex.*.list permissions, which allow a user to get and list Dataplex services, resources, and operations in a project.

Dataplex roles can be granted at any level of the resource hierarchy, including projects, lakes, and zones. A role granted on a parent is inherited by its child resources, so the permissions a principal effectively holds on a zone are the union of what is granted on the zone, on its lake, and on the project.

Basic roles

Basic roles are granted at the project level. The following summarizes the permissions each basic (project) role carries:

  • Project Owner (roles/owner): all Project Editor permissions, plus permissions to manage access control for the project (getIamPolicy/setIamPolicy) and to set up project billing.
  • Project Editor (roles/editor): all Project Viewer permissions, plus all project permissions for actions that modify state (create, delete, update, use).
  • Project Viewer (roles/viewer): all project permissions for read-only actions that preserve state (get, list).

Because basic roles apply to every service in the project, not only Dataplex, they grant far more than a Dataplex user typically needs. Prefer the predefined or custom Dataplex roles when a principal only works with Dataplex.

Predefined roles

The following lists the Dataplex predefined (or curated) roles and the permissions associated with each role:

  • roles/dataplex.admin: dataplex.*.create, dataplex.*.update, dataplex.*.delete, dataplex.*.get, dataplex.*.getData, dataplex.*.list, dataplex.*.getIamPolicy, dataplex.*.setIamPolicy
  • roles/dataplex.editor: dataplex.*.create, dataplex.*.update, dataplex.*.delete
  • roles/dataplex.viewer: dataplex.*.get, dataplex.*.list

Notes:

  • "*" signifies resource types, such as "lakes" or "zones." Some permissions are not defined on certain resource types.
  • The dataplex.admin role grants full access to all Dataplex resources, including IAM policy administration.
  • The dataplex.editor role grants read and write access to all Dataplex resources.
  • The dataplex.viewer role grants read access to all Dataplex resources.
  • For data scan resources, dataplex.datascans.getData permission is required to get the full view of the resource. This permission is not included in roles/dataplex.viewer or roles/dataplex.editor. See Data scan permissions and roles for more details.
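As an added example (not code from the Dataplex documentation), the following Python resolves which roles in a project IAM policy grant a principal a given Dataplex permission, using the wildcard permission sets from the predefined-roles list and the basic-role summary on this page, and flags the grants a reviewer would question. The basic-role model is an approximation built only from the verbs the page names; the sample policy, principals, and project are constructed for the example.

```python
"""Added example, not from the Dataplex docs: resolve which roles in a project
IAM policy grant a principal a given Dataplex permission, using the wildcard
permission sets from the predefined-roles list and the basic-role summary on
this page. The policy below is constructed for the example."""

# Predefined Dataplex roles, copied from the list above. "*" is a resource
# type such as "lakes", "zones", "assets" or "datascans".
PREDEFINED_ROLES = {
    "roles/dataplex.admin": [
        "dataplex.*.create", "dataplex.*.update", "dataplex.*.delete",
        "dataplex.*.get", "dataplex.*.getData", "dataplex.*.list",
        "dataplex.*.getIamPolicy", "dataplex.*.setIamPolicy",
    ],
    "roles/dataplex.editor": ["dataplex.*.create", "dataplex.*.update", "dataplex.*.delete"],
    "roles/dataplex.viewer": ["dataplex.*.get", "dataplex.*.list"],
}

# Basic roles, approximated from the summary on this page. They really span
# every service and many more verbs; this model covers only the verbs named there.
_VIEWER_VERBS = ["get", "list"]
_EDITOR_VERBS = _VIEWER_VERBS + ["create", "delete", "update", "use"]
_OWNER_VERBS = _EDITOR_VERBS + ["getIamPolicy", "setIamPolicy"]
BASIC_ROLES = {
    "roles/viewer": [f"*.*.{v}" for v in _VIEWER_VERBS],
    "roles/editor": [f"*.*.{v}" for v in _EDITOR_VERBS],
    "roles/owner": [f"*.*.{v}" for v in _OWNER_VERBS],
}

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def pattern_matches(pattern, permission):
    """Segment-wise match: '*' stands for exactly one dotted segment, so
    dataplex.*.get matches dataplex.lakes.get but not dataplex.datascans.getData."""
    p, q = pattern.split("."), permission.split(".")
    return len(p) == len(q) and all(a in ("*", b) for a, b in zip(p, q))


def role_grants(role, permission):
    patterns = PREDEFINED_ROLES.get(role) or BASIC_ROLES.get(role) or []
    return any(pattern_matches(pat, permission) for pat in patterns)


def applicable_bindings(policy, member):
    """Unconditional bindings that apply to `member`, including public grants."""
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            # Conditional bindings depend on request context; never assume they apply.
            continue
        members = set(binding.get("members", []))
        if member in members or members & PUBLIC_MEMBERS:
            yield binding


def granting_roles(policy, member, permission):
    """Sorted roles in `policy` through which `member` holds `permission`."""
    return sorted({b["role"] for b in applicable_bindings(policy, member)
                   if role_grants(b["role"], permission)})


def audit_policy(policy):
    """Findings a reviewer would raise against this policy."""
    findings = []
    for b in policy.get("bindings", []):
        role, members = b["role"], b.get("members", [])
        if role in BASIC_ROLES:
            findings.append(f"{role} granted to {members}: basic roles cover every "
                            f"service; prefer predefined or custom Dataplex roles")
        public = sorted(set(members) & PUBLIC_MEMBERS)
        if public:
            findings.append(f"{role} granted to public member(s) {public}")
        if role == "roles/dataplex.admin":
            findings.append(f"{role} (includes dataplex.*.setIamPolicy) granted to "
                            f"{members}: confirm each principal must administer IAM policy")
    return findings


# Constructed sample policy (the shape getIamPolicy returns), not a real project.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXyZ-example",
    "bindings": [
        {"role": "roles/dataplex.viewer",
         "members": ["user:alice@example.com", "group:analysts@example.com"]},
        {"role": "roles/dataplex.editor",
         "members": ["serviceAccount:etl@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/dataplex.admin", "members": ["user:carol@example.com"]},
        {"role": "roles/editor", "members": ["user:dave@example.com"]},
    ],
}

if __name__ == "__main__":
    for member, perm in [("user:alice@example.com", "dataplex.datascans.getData"),
                         ("user:carol@example.com", "dataplex.lakes.setIamPolicy"),
                         ("user:dave@example.com", "dataplex.lakes.delete")]:
        print(member, perm, granting_roles(SAMPLE_POLICY, member, perm))
    for finding in audit_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
```

Running it shows the two cases the notes above call out: the viewer alice gets nothing for dataplex.datascans.getData, and dave reaches dataplex.lakes.delete only through the basic roles/editor role, which the audit flags.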

Data roles

Dataplex defines the following three IAM roles, intended to be granted on any resource managed by Dataplex:

  • roles/dataplex.dataOwner
    Capabilities: all permissions on the managed resource, and all permissions on all of its child resources, regardless of resource type.
    Justification: data owners can update resource metadata, grant finer-grained permissions (for example, on child tables of a BigQuery dataset), and create child resources, in addition to various other permissions. They have complete ownership of the resource.
  • roles/dataplex.dataReader
    Capabilities: read data in the managed resource and its children, and read metadata of the managed resource and its children.
    Justification: enables reading data and metadata.
  • roles/dataplex.dataWriter
    Capabilities: create, update, and delete data (not metadata).
    Justification: enables core Dataplex user journeys.

What's next